Andrew Auernheimer, Cyber Security, Leaks and the CFAA

US hacker-troll-activist Andrew Auernheimer, AKA Weev, has appealed his March conviction for unauthorized access of AT&T's web site in violation of the Computer Fraud and Abuse Act (CFAA). The conviction, and the CFAA - the ever-debated "worst law in technology," per Columbia Law Professor Tim Wu - are a convenient and apt way to contemplate America’s treatment of the "other" in national security, and to recognize its tendency to criminalize what it cannot subdue.

Weev is in trouble for, essentially, accessing public data, available to anyone, a whole bunch of times. You might also say he's in trouble for pissing off the FBI. Both are true, probably - Weev queried AT&T's servers over and over with an automated program, each time accessing public information; for years he has flipped a bird to both authority and good taste. Over the course of doing so - no passwords, no "hacking," really - he picked up the email addresses of some powerful (and in many cases powerfully awful) people. As a result of this fairly major screw up on the part of AT&T, who brushed off Weev and a colleague when approached about the breach, he went to Gawker with the information, then got locked up.

Reach of the CFAA

This brings us to the law. The CFAA was originally the CADFAA (the Counterfeit Access Computer Fraud and Abuse Act), which might more accurately have been called the "Ronald Reagan and some Senators saw the movie WarGames and freaked the fuck out Act," but in any case, today it is the most prominent means of prosecuting crimes that occur on computers and the internet. It is now unfathomably broad, and, depending on what court has the case, could criminalize simple things that everyone does every day, like break web sites' one-sided Terms of Use by lying about height or weight or age on a dating site. For a statute originally designed to avoid Nuclear War, this is quite an expansion.

What unites some CFAA conflict - and is the central line of criticism within the legal community - is what the phrases "without authorization" and "exceeds authorization" mean. The extreme interpretation mentioned above - the "contract-based" approach - is preferred by the Department of Justice. Others prefer that actual "hacking," like brute-forcing a password or otherwise subverting some security mechanism, be present. Finally, others still rely on theories of agency to discern the meaning of authorization. [One way to improve the law simultaneously across each theory is providing safe harbors for hackers to explore without being criminalized, provided they do not obtain material gain or cause material destruction; ingenuity and network security may in that way work side by side - think, perhaps, of the false dichotomy of privacy and security, actualized, actually.]

In Weev's case, which consisted of accessing a publicly available web site and then generally being a dick, his lawyers argued on appeal that because AT&T had itself made the information public, the information could not be accessed "without authorization" for purposes of the law. They pointed out that to criminalize his behavior would be to unacceptably criminalize the conduct of many Americans, and made challenges to other aspects of the ruling and the severity of the sentence as well.

Police Trolling and Trolling Police

An important flaw of the CFAA - and there are many - is the amount of power it offers prosecutors and police to arbitrarily or discriminatorily target individuals with politically unpopular views. Here, Weev, a troll with years of political activity under his belt, got 41 months for scraping information from a public web site. In California, a law firm that similarly manipulated URLs to access unintentionally public health records didn't face prosecution, but instead won a settlement for their actions. Many have argued that seemingly discriminatory results like these force the law afoul of the Constitution's Due Process prohibition of vagueness, which requires, basically, that citizens know what will be criminalized, and that prosecutors be unable to arbitrarily or discriminatorily enforce the law. This is not the first time that political activists have been targeted for prosecution.

And honestly, while it's easy to laugh at some of the circumstances, it's really not funny. Why? Weev is serving a longer sentence than many rapists because… Because he made an enemy of the FBI? Because he showed no contrition? Because he made a multinational company look foolish? Any way you cut it, that's not justice. The CFAA is dangerous. It's also episodic of the drama - and it is so often drama and so rarely of substance - playing out on an international stage with Edward Snowden and the PRISM leaks. That debate and the one over Weev's conviction and the CFAA are in many ways the same one.

Hackers are the New Violent Jihadists

Much of the reason the CFAA is as strict as it is - some, incredibly, want it stricter - is the hyperbolic, alarmist monster that US political discourse has become. Violent jihadists, meet hackers - your replacements as flavor of the week in America's shop of scary strawmen. Tor Ekeland, who represents both Weev and former Reuters social media editor Matthew Keys in their CFAA cases, said, "hackers are the new communists." He's not wrong, and that's a major problem. It shouldn't be that we have moved from a Red Scare to a Brown to a Binary one.

But when Gen. Keith Alexander says (by anonymous leak, someone call Oliver Willis) he fears that Anonymous is going to disrupt power grids (surely crocodile tears given the incredible power cyber-hysteria has brought him), this is absolutely the same conversation as the one that demands outsized penalties for political hackers, and the one that leads authoritarians liberal and conservative to demand Edward Snowden's head. When Janet Napolitano warns of a "Cyber 9/11," she is making the argument that justifies mass surveillance and lets us barely blink an eye when a Weev gets almost three and a half years in prison for changing the letters and numbers in a URL.

The CFAA in its current form is a powerful mistake, and its use is a reflection of a government that seeks to criminalize and silence what it does not understand. Weev's conviction, if upheld, will not be just, nor will it be the last.
